Privacy Policy
Last updated: March 2026
Finsibility ("we", "our", "us") respects your privacy. This Policy explains how we collect, use, and safeguard your information when you use the Finsibility mobile application, website (if applicable), related services, and communications with us.
1. Information we collect
1.1 Account Data
- Email address (required for account creation and communication)
- Username (for account identification)
- Optional profile photo (if you choose to upload one)
- Password (managed by our authentication provider, AWS Cognito, which hashes and salts passwords — we do not store passwords in our own databases)
1.2 Financial Data
- Financial model parameters and inputs you provide
- Financial calculations and projections you generate
- Documents you upload through the bulk import feature (Creator accounts only), including the full text content of spreadsheets, PDFs, and images — see Section 10 ("Bulk Document Import") for details on how this data is handled
1.3 Usage Data
We collect analytics data to improve the Service, including:
- Screens visited and features used
- Session length and frequency of use
- Device information (device type, operating system, app version)
- Performance metrics and error logs
- General location data derived from IP addresses
Most usage analytics data is aggregated and anonymized. However, certain operational and billing-related logs (such as transaction processing logs, subscription lifecycle events, and error diagnostics) may contain user identifiers to enable billing dispute resolution, fraud detection, customer support, and system debugging. These operational logs are retained for 30 days (90 days for crash diagnostics) and are used solely for the purposes described in Section 2 of this Policy.
1.4 Operational and Billing Logs
In addition to anonymized analytics, we maintain operational logs that may include:
- User identifiers associated with purchase transactions, subscription changes, and billing events
- IP addresses associated with API requests (used for security monitoring and fraud prevention)
- Error diagnostics that may include user identifiers to enable targeted troubleshooting
These logs are necessary for processing transactions, managing subscriptions, resolving billing disputes, preventing fraud, and ensuring service reliability as described in Sections 2.1 and 2.2. Operational logs are retained for 30 days (90 days for crash diagnostics) and are not shared with third parties except as described in Section 3.
2. How we use data
2.1 Service Provision
We use your data to:
- Provide and maintain the service
- Generate financial projections and calculations based on your inputs
- Surface relevant community alternatives and insights based on your portfolio and interests
- Improve app performance and stability
- Communicate updates and security alerts
- Authenticate your identity and secure your account
- Process transactions and manage subscriptions
- Respond to your inquiries and provide customer support
2.2 Legal Basis for Processing
We process your personal data based on:
- Contractual necessity: To provide the Service and fulfill our obligations under our Terms of Service
- Legitimate interests: To improve the Service, ensure security, and prevent fraud
- Consent: Where you have provided explicit consent (such as for marketing communications or enabling voice narration via a third-party text-to-speech provider)
- Legal obligations: To comply with applicable laws and regulations
2.3 Financial Data Usage
Important: Financial data you provide (including account balances, transactions, and financial model parameters) is used solely to:
- Generate mathematical projections and forecasts based on your inputs and assumptions
- Perform calculations and analyses using our financial modeling tools
- Provide informational insights and comparisons
We do NOT use your financial data to:
- Provide personalized financial advice or recommendations
- Make investment decisions on your behalf
- Act as a financial advisor, broker, or investment advisor
- Provide portfolio optimization or portfolio rebalancing services
- Guarantee or promise specific financial outcomes
All projections and forecasts generated by the Service — whether by you, by our AI analysis tools, or by community contributors — are based on assumptions and mathematical models. They are not guarantees of future performance. No one can predict the future. Where users share models or analyses through the community feed, such sharing is between peers and does not constitute advisory services from Finsibility. Please refer to our Terms of Service for important disclaimers regarding financial projections and the limitations of our Service.
3. Data sharing
3.1 We Do Not Sell Your Personal Data
We do not sell, rent, lease, or trade your personal information or individual financial data to third parties. We do not share your personal data with advertisers or marketing partners for their own purposes.
We may use aggregated, anonymized data — which cannot be used to identify any individual user — for purposes such as understanding usage trends, improving the Service, or sharing general insights. This aggregated data does not include your name, account details, or any information that could identify you.
3.2 Limited Sharing
We share your data only in the following limited circumstances:
Service Providers: We share data with infrastructure and service providers who help us operate the Service, including:
- AWS (Amazon Web Services) – Cloud hosting and data storage
- Apple, Google – Subscription payment processing
- Analytics providers – Anonymous usage analytics (data is aggregated and anonymized)
- Anthropic – AI-powered financial analysis and comparison (receives only sanitized and anonymized financial parameters for standard features — see Section 10; bulk document import sends full file contents — see Section 10 "Bulk Document Import")
- ElevenLabs – AI voice narration features, opt-in with explicit consent (receives narration text that may include financial amounts, portfolio structure, and community content names — see Section 10)
The specific providers we use may change over time. We will update this list when material changes occur. Our use of these providers is governed by their standard terms of service, which include data handling and usage provisions. For information about a provider's own security practices and data handling commitments, please refer to their published terms and trust documentation.
Legal Requirements: We may disclose your data if required by law, court order, government regulation, or to:
- Comply with legal processes or government requests
- Enforce our Terms of Service
- Protect the rights, property, or safety of Finsibility, our users, or others
- Detect, prevent, or address fraud, security, or technical issues
Business Transfers: In the event of a merger, acquisition, sale of assets, or bankruptcy, your data may be transferred to the acquiring entity. We will make reasonable efforts to ensure the acquiring party is informed of the commitments made in this Policy and will notify you before your data is transferred or becomes subject to a different privacy policy.
With Your Consent: We may share your data with third parties when you have given us explicit consent to do so.
4. Security
4.1 Data Protection Measures
Production Environment:
We implement industry-standard security measures to protect your data:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2+
- Encryption at rest: Data stored in our production databases is encrypted using AES-256 encryption
- Access controls: Access to production systems is restricted through least-privilege roles and multi-factor authentication
- Security monitoring: We monitor our systems for vulnerabilities using automated scanning and managed security rules
- Secure infrastructure: Our infrastructure is hosted on AWS (Amazon Web Services)
Beta and Pre-Production Environments:
During beta testing and pre-production phases, data is encrypted both in transit and at rest. However, pre-production environments may use less restrictive access controls and data isolation practices than production. We recommend exercising caution with highly sensitive financial information during beta testing.
4.2 Data Breach Notification
In the event of a data breach that may affect your personal information, we will notify you and relevant authorities as required by applicable law, typically within 72 hours of becoming aware of the breach. We will provide information about the nature of the breach, the data affected, and steps we are taking to address it.
4.3 Your Role in Security
You play an important role in keeping your data secure:
- Use a strong, unique password for your account
- Do not share your account credentials with others
- Log out of the Service when using shared devices
- Notify us immediately if you suspect unauthorized access to your account
5. Your choices and rights
5.1 Data Access and Portability
You have the right to access, review, and export your personal data. You can request a copy of your data via Account → Security → Export Data or by contacting us at privacy@finsibility.com.
5.2 Data Deletion
You can request deletion of your account and all associated data at any time via Account → Security → Delete Account or by contacting us at privacy@finsibility.com. Upon receiving your request, we will promptly delete or anonymize your personal data, except where we are required to retain it by:
- Legitimate business purposes: Resolving disputes, enforcing agreements, or preventing fraud
- Legal obligations: Where required by applicable law, regulation, or court order
We will notify you if we are unable to delete certain data due to legal requirements.
5.3 Data Correction
You can update your account information at any time through your account settings. If you need assistance correcting data, contact us at privacy@finsibility.com.
5.4 Communications
We do not send marketing emails. Communications you receive from Finsibility are limited to essential service-related messages such as security alerts, account updates, and transactional notifications. You can manage push notification preferences under Account → Preferences → Notifications.
5.5 California Privacy Rights (CCPA)
If you are a California resident, you have certain rights under the California Consumer Privacy Act (CCPA), including:
- Right to know what personal information we collect, use, and share
- Right to delete your personal information (subject to certain exceptions)
- Right to opt out of the sale of personal information (we do not sell your personal information)
- Right to non-discrimination for exercising your privacy rights
To exercise these rights, contact us at privacy@finsibility.com. We will respond within 30 days.
5.6 Other U.S. State Privacy Rights
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or any other U.S. state with a comprehensive consumer privacy law, you may have similar rights to those described in Section 5.5 above, including the right to access, delete, and correct your personal data, and the right to opt out of the sale of personal information (which we do not engage in). To exercise any privacy rights under applicable state law, contact us at privacy@finsibility.com. We will respond within the timeframe required by your state's applicable law.
Future Expansion: Finsibility is currently available in the United States. As we expand to other jurisdictions, we will update this Privacy Policy to include applicable privacy rights, including GDPR rights for European Economic Area (EEA) residents when we launch in those regions.
6. Children and Age Restrictions
Finsibility is not directed to children under 18 years of age. You must be at least 18 years old to use the Service. We do not knowingly collect personal information from individuals under 18. If we become aware that we have collected personal information from someone under 18, we will delete that information immediately. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@finsibility.com.
COPPA Compliance: While the Children's Online Privacy Protection Act (COPPA) applies to children under 13, our Service requires users to be 18 or older. We do not knowingly collect information from anyone under 18.
7. Data Retention
7.1 Retention Periods
We retain your personal data for as long as necessary to provide the Service and fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law:
- Account data: Retained while your account is active and promptly deleted upon account deletion, except where retention is required by law
- Financial data: Retained while your account is active and deleted upon account closure, except where retention is required by applicable law or for legitimate business purposes such as dispute resolution
- Usage data: Retained in anonymized, aggregated form for analytics and service improvement (indefinitely, as it cannot be used to identify you)
- Legal requirements: Some data may be retained longer if required by law, regulation, court order, or to resolve disputes or enforce agreements
7.2 Data Deletion
When you delete your account, we will promptly delete or anonymize your personal data, except where retention is required by law or for legitimate business purposes.
8. Data Location and International Transfers
Current Service Area: Finsibility is currently available in the United States. Your data is stored and processed in the United States.
Service Provider Locations: Our service providers may process your data in the United States and other countries where they operate. Each provider's handling of your data is governed by their own terms of service and privacy policies. For information about a specific provider's data practices, please refer to their published terms.
Future Expansion: As we expand to other jurisdictions, we will implement appropriate safeguards for international data transfers, including standard contractual clauses and other mechanisms required by applicable law. We will update this Privacy Policy to reflect any changes in data processing locations or transfer mechanisms.
9. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.
9.1 Material Changes
A "material change" is one that meaningfully affects your privacy rights or how we handle your data, including but not limited to:
- Collecting new categories of personal information not previously described
- Sharing data with new categories of third-party service providers
- Changing how long we retain your data or how we delete it
- Reducing your rights or choices regarding your data
- Changing the purposes for which we use your data
- Moving data storage or processing to new jurisdictions
We will notify you of material changes by:
- Posting the updated Policy in the Service
- Updating the "Last updated" date at the top of this Policy
- Providing notice through the Service or via email (if you have provided an email address)
Material changes will take effect 30 days after posting. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy. If you do not agree to the changes, you should stop using the Service and delete your account.
9.2 Non-Material Changes
Non-material changes — such as fixing typos, clarifying existing language without changing its substance, updating a service provider's name when the data flow is unchanged, or reorganizing sections for readability — take effect immediately upon posting and do not require advance notice.
10. AI & Machine Learning Privacy Protections
Our Commitment
Finsibility uses AI to power a range of AI-assisted experiences, including intelligent navigation, workflow automation, full and partial form filling, analytical (non-advisory) narration, and comparative analysis. All AI-powered features are gated behind explicit user consent within the app — no AI processing occurs until you actively choose to use an AI feature. We have implemented technical safeguards to keep your identity and personal information separate from AI interactions. Finsibility does not provide portfolio optimization, portfolio rebalancing, or financial advisory services. We are a platform that enables peer-driven financial analysis and comparison.
What We Send to AI Providers
Our AI-powered analysis features send sanitized financial parameters to AI service providers:
Information sent to AI:
- Financial amounts (loan balance, contribution amounts)
- Interest rates and growth rates
- Model types (401k, mortgage, investment account)
- Categorical data (payment frequency, account type)
- Financial date fields are generally converted to relative durations (e.g., "38 months from now")
- Certain contextual dates, such as graph time-range boundaries and the current date, may be sent in their original form when needed for accurate analysis
Information not sent to AI:
- Your name, username, or display name
- Item names you've created (e.g., "My Tesla 401k") — replaced with generic labels before transmission
- Notes, descriptions, or freeform text you've written
- Email addresses, phone numbers, or contact information
- Account IDs, user IDs, or database identifiers — anonymized before transmission
- Information about collaborators, editors, or beneficiaries
- Null or empty fields are stripped before transmission
How We Protect Your Data
We apply multiple layers of sanitization on both your device and our servers:
1. Client-side name replacement – Your device replaces identifiable item names with category-based labels before data leaves your phone
2. Server-side PII filtering – Our servers apply pattern-based filtering to catch and remove identity-linked fields before contacting any AI service
3. Identifier anonymization – Database record IDs are replaced with anonymous sequential references before being sent to AI and remapped back in responses
4. Data minimization – Empty and unnecessary fields are stripped from payloads before transmission
5. Date conversion – Financial date fields within model data are converted to relative offsets. Note: some contextual dates (such as graph viewport boundaries used for time-range analysis) may be sent as-is to enable accurate results
6. Audit logging – AI requests are logged with privacy compliance verdicts
Bulk Document Import (Creator Accounts)
Finsibility offers a bulk document import feature that allows Creator account holders to upload spreadsheets, PDFs, images, and other documents for AI-powered extraction of financial items.
Important: Unlike the standard AI-assisted features described above, the bulk document import sends the full, unsanitized contents of your uploaded document to our AI service provider. This is necessary because the AI must read the raw document to identify and extract financial items from arbitrary formats and layouts.
What is sent to AI during bulk import:
- The complete text content of the uploaded file (all pages, sheets, rows, and columns)
- All numbers, text, names, labels, headers, and any other data present in the document
- Any personally identifiable information, account numbers, or sensitive data that appears in the document
What is NOT sent to AI during bulk import:
- Your Finsibility username, account ID, or email address
- Your Finsibility database identifiers
Safeguards:
1. Creator-only access — Bulk document import is restricted to Creator accounts. Consumer accounts must add items manually or use the standard AI-assisted features, which apply privacy-preserving sanitization before any data is sent to AI providers (see "How We Protect Your Data" above and "AI Voice Narration" below for details on the specific safeguards applied to each provider)
2. Explicit consent — Before any document is analyzed, you are presented with a clear disclosure explaining that the full file contents will be sent to the AI service, and you must explicitly acknowledge this before proceeding
3. Provider data handling — Document content is sent for processing and is subject to the AI provider's own data handling and retention policies. We do not control how long providers may retain data for their operational purposes (such as abuse monitoring). Please refer to the provider's published terms for details
4. Local extraction — For images, OCR text recognition is performed on your device before the extracted text is sent to the AI service
Supported formats: CSV, TSV, TXT, Excel (.xlsx, .xls), PDF, and images (JPG, JPEG, PNG, HEIC via on-device OCR).
We strongly recommend that you review your documents for sensitive personal information before uploading them for bulk import. If your document contains data you do not wish to share with an AI service provider, you should use the standard manual entry or AI-assisted features, which apply full sanitization.
AI Voice Narration
Finsibility includes an optional AI voice feature that provides spoken narration of analysis results using a third-party text-to-speech service.
Voice narration requires your explicit consent. You can enable or disable it at any time from the Voice Assistant settings. When disabled, no data of any kind is transmitted to the voice provider.
What is sent to the voice service:
- Narration text generated by our AI, which may include financial amounts, percentages, and comparative metrics from your portfolio analysis
- Portfolio structure information such as group names you've created and item counts
- Community Feed content names (e.g., alternative product names)
- Model type descriptions using generic category labels (e.g., "your 401k") where possible
What we take steps to prevent from being sent:
- Your name, username, or personal identifiers
- Individual portfolio item names you've created — we apply multiple layers of name replacement to substitute generic category labels. On-screen display restores your real names; the voice stream uses generic labels where this sanitization is applied.
- Account numbers, email addresses, or contact information
- Database IDs or record identifiers
Note that not all narration paths apply the same level of sanitization. User-created group names and certain descriptive text may pass through to the voice service. Our backend performs a PII scan on every voice request and blocks transmission if structured PII (emails, database IDs, phone numbers) is detected, but this scan does not catch all forms of personal information that may be embedded in user-created names or text. The voice provider's handling and retention of narration data is governed by their own terms of service.
Our Security Practices
- Privacy-by-Design – We minimize PII exposure in AI interactions through the sanitization layers described above
- Encrypted Transit – All communications with AI and voice providers use TLS encryption
- Audit Logging – We log sanitization events for security monitoring
- CCPA – We support the data access, deletion, and opt-out rights described in Section 5 of this Policy
Your Control
- All AI analysis features are opt-in (tap the 🚀 to use them)
- Voice narration is opt-in — requires explicit consent and can be toggled off anytime from Account → Voice Assistant. When off, no data is sent to the voice provider.
- You can request an export of your data via Account → Security → Export Data or by contacting us at privacy@finsibility.com
- You can delete your account and all data via Account → Security → Delete Account or by contacting us at privacy@finsibility.com
- We do not currently use your data to train custom AI models. If this changes, we will notify you in advance and require your explicit opt-in consent before any of your data is used for model training.
- AI analysis data sent to providers is subject to those providers' own data handling and retention policies
- You can contact us with privacy questions: privacy@finsibility.com
11. Advertisements
11.1 Right to Display Advertisements
We reserve the right to display advertisements on our platform. Advertisements may appear within the Service interface, and we may partner with third-party advertising networks to serve ads. If we display advertisements, they will be clearly identified as such.
11.2 Advertisements and Your Data
Important: Even if we display advertisements, we will not sell your personal data to advertisers. Advertisements may be targeted based on:
- General, anonymized or pseudonymized usage patterns
- Contextual factors (such as the type of financial model you are viewing)
If we use third-party advertising partners, we will disclose them in this policy and provide you with the ability to opt out of personalized advertising. We will not share your financial data or account details with advertisers. We comply with applicable opt-out requirements, including Apple's App Tracking Transparency framework and any "Do Not Sell or Share" rights under applicable law.
11.3 Ad-Free Options
We do not currently display advertisements. If advertisements are introduced in the future, premium subscription tiers may include an ad-free experience. We will update this policy and notify users in advance of any such changes.
12. Local Storage and Device Data
12.1 Data Stored on Your Device
Finsibility is a mobile application and does not use browser cookies. We store data locally on your device to operate the Service, including:
- Authentication tokens: To maintain your session and keep you signed in
- Preferences and settings: To remember your app configuration
- Cached data: To improve performance and enable offline access where applicable
12.2 Device Identifiers
We may use anonymized device identifiers for analytics purposes (as described in Section 1.3). We do not use device identifiers for advertising or to track you across other applications.
13. Third-Party Links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices, cybersecurity practices, or content of these third parties.
In particular, the Community Feed screen includes an "Action" button on posts that may direct you to external websites outside of the Finsibility app. Much like searching for a financial product through any internet-based link-redirecting service, navigating to external links carries inherent risks. These external websites may have security practices, privacy practices, or content that are outside of Finsibility's control and may not meet the same standards we uphold within the Service. External links could potentially lead to websites that are deceptive, fraudulent, or compromised — including sites designed to promote misleading financial schemes or steal personal and financial information. By navigating to any external link, you acknowledge that you are leaving the Finsibility app and that your interaction with the third-party site is governed solely by that site's own policies.
Finsibility is committed to investing in content moderation and ensuring that creators with strong reputations receive greater visibility in the Community Feed. However, we strongly encourage you to exercise caution and due diligence before clicking on or navigating to any external link. Be wary of offers that seem too good to be true, requests for sensitive financial information, or sites that appear suspicious or unfamiliar. Always review the destination URL, the third party's privacy policy, and their security practices before providing any personal information or engaging with their content.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: privacy@finsibility.com
For California privacy rights (CCPA): privacy@finsibility.com
We will respond to your inquiry within 30 days.